Google DeepMind’s NHS data deal 'failed to comply' with law

The UK’s data protection watchdog has ruled that a deal to share 1.6 million NHS patient records with the Google-owned artificial intelligence company DeepMind “failed to comply with data protection law”. The data-sharing agreement was first revealed by New Scientist in April last year, and after a year-long investigation the Information Commissioner’s Office has found shortcomings in how the data was handled.

The agreement gave DeepMind access to patient data from the Royal Free London NHS Trust to help develop an app called Streams, which would monitor kidney disease. The ICO found that patients were not properly informed that their data would be used in this way and that the trust should have been more transparent about the arrangement.

“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights,” said Elizabeth Denham, the information commissioner.

The ICO can issue fines of up to £500,000, in this case around £0.30 per patient, for breaches in data protection law, or issue an enforcement notice requiring DeepMind to delete or stop using the data. However, there is no mention of either of these courses of action in the press release from the ICO. Instead, they say the Royal Free will now have to “establish a proper legal basis under the Data Protection Act for the Google DeepMind project”.

Both the Imperial College NHS Foundation Trust and the Taunton and Somerset NHS Foundation Trust have since signed agreements with DeepMind to use its Streams app.

“We welcome the ICO’s thoughtful resolution of this case, which we hope will guarantee the ongoing safe and legal handling of patient data for Streams,” said DeepMind in a statement responding to the ruling. “In our determination to achieve quick impact when this work started in 2015, we underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health.”